“Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.”

Related – via NPR – “In the first major review of VPN providers, researchers from across the globe tested nearly 300 free VPN apps on Google Play. What they found was alarming. Nearly 40 percent injected malware or malvertising. And nearly 20 percent of the apps didn’t even encrypt user traffic. This month, the Center for Democracy & Technology filed a complaint with the Federal Trade Commission alleging the VPN Hotspot Shield collects data and intercepts traffic. If true, that would be a direct violation of claims by the company’s policy to “never log or store user data.””

US Cert Security update: Preventing and Responding to Identity Theft “You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through… Continue Reading

Follow up to previous posting – Equifax is one of many companies that collect information about you – via [email protected] – “In the annals of data breaches, the Equifax hacking stands alone due to its sheer scale: Digital thieves traipsed through the personal information of 143 million Americans for several months to do with it… Continue Reading

Via NBR/CNBC: “There are literally hundreds of smaller consumer-reporting companies [33-page PDF] operating in the U.S. and the smaller ones are collecting information you might not expect. The Consumer Financial Protection Bureau maintains a self-reported list of the companies. Consider Milliman IntelliScript, for example. The company collects information on the prescription drugs you buy. If… Continue Reading

eSecurity Planet: “The massive Equifax breach that recently affected 143 million consumers would have led to hugely significant fines if the European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018, had already been in place. Under the new rules, organizations that fail to protect sensitive data can be fined up to… Continue Reading

Ring, ring. “This is Equifax calling to verify your account information.” Stop. Don’t tell them anything. They’re not from Equifax. It’s a scam. Equifax will not call you out of the blue. That’s just one scam you might see after Equifax’s recent data breach. Other calls might try to trick you into giving your personal… Continue Reading

Via EveryCRSReport.com: Justice Department’s Role in Cyber Incident Response August 23, 2017 R44926. “Criminals and other malicious actors increasingly rely on the Internet and rapidly evolving technology to further their operations. In cyberspace, criminals can compromise financial assets, hacktivists can flood websites with traffic—effectively shutting them down, and spies can steal intellectual property and government… Continue Reading

CNET: “…According to Equifax, which released a statement today, the company’s database was breached through a vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada….Equifax has set up its own program to help people find out if they were one of the millions… Continue Reading

“In August 2017, SecurityScorecard analyzed and scored the current security posture of 552 small, medium and large U.S. government organizations with more than 100 public-facing IP addresses, to determine the state of government cybersecurity programs today. In this report, 2017 U.S. State and Federal Government Cybersecurity Research Report, you’ll learn: Top performing U.S. State and… Continue Reading

Russia: Background and U.S. Policy, Cory Welt, Analyst in European Affairs, August 21, 2017. “Over the last five years, Congress and the executive branch have closely monitored and responded to new developments in Russian policy. These developments include the following: increasingly authoritarian governance since Vladimir Putin’s return to the presidential post in 2012; Russia’s 2014… Continue Reading

Research updates provided daily since 2002, with an emphasis on primary sources.

2016 Awards for BeSpacific

American Bar Association

BeSpacific: “No one better has her finger on the pulse of the legal information world than Sabrina Pacifici, law librarian and author of the blog BeSpacific,” writes blogger Robert Ambrogi. “Launched in 2002, BeSpacific is one of the longest-running legal blogs and, remarkably, Sabrina seems more prolific today than ever. She posts multiple items every day, covering the gamut of law, technology and knowledge discovery and topics ranging from cybersecurity to legal research to government regulation to civil liberties to IP and more. For me, BeSpacific is one of my daily must-reads and has been for 14 years straight.”

LLRX

Sabrina is also the solo Editor, Publisher and Founder of LLRX.com® – Legal, technology and knowledge discovery resources on the “moving edge” for Librarians, Lawyers, Researchers, Academic and Public Interest Communities – launched in 1996.